For many years, web-based accounts have used multi-factor authentication (MFA) techniques to provide greater security than an account password alone provides, particularly for accounts having sensitive or valuable information. In one typical use case, a user opens a cloud account (e.g., an AWS® account) having a username and a password. For additional security, the user has the option to configure virtual (or hardware) MFA, which requires that another piece of authenticating information (e.g., an MFA possession factor) be provided before the user gains access to the account. Specifically, using virtual MFA, the user provides a time-based one-time password (TOTP) token generated by a TOTP-compatible application (e.g., Google Authenticator or Authy) hosted on a secondary device (e.g., a mobile device such as a smart phone). The TOTP token must be provided in addition to the username and password to gain access to the account.
One limitation of the above setup, particularly in enterprise environments, is that the account holder ultimately holds access to all of the information needed to gain access to the account, thus giving the account holder a “key to the kingdom.” What is needed is a configuration that further increases security and mitigates risk of breach by any one individual by maintaining separation of the knowledge required to access a critical account, so that at least two individuals (or teams) must come together to gain access to the account.